
Configure External SSL

You can configure Tableau Server to use Secure Sockets Layer (SSL) encrypted communications on all external HTTP traffic. Setting up SSL ensures that access to Tableau Server is secure and that sensitive information passed between the web browser and the server or Tableau Desktop and the server is protected. Steps on how to configure the server for SSL are described in the topic below; however, you must first acquire a certificate from a trusted authority, and then import the certificate files into Tableau Server. If you are running a Tableau Server cluster and you want to use SSL, see Configure SSL for a Cluster, below, for recommendations.

  1. Acquire an Apache SSL certificate from a trusted authority (for example, Verisign, Thawte, Comodo, GoDaddy). You can also use an internal certificate issued by your company. Wildcard certificates, which allow you to use SSL with many host names within the same domain, are also supported.

    Note: Be sure to use a SHA-2 (256 or 512 bit) certificate. All major browsers will display warnings when connecting to SHA-1 certificates. By the end of 2017, it's likely that most browsers will no longer connect to servers that are presenting SHA-1 certificates.

    Some browsers will require additional configuration to accept certificates from certain providers. Refer to the documentation provided by your certificate authority.

  2. Place the certificate files in a folder named SSL, parallel to the Tableau Server 10.3 folder. For example:

    C:\Program Files\Tableau\Tableau Server\SSL

    This location gives the account that's running Tableau Server the necessary permissions for the files. You may need to create this folder.

  3. Open the Tableau Server Configuration Utility by selecting Start > All Programs > Tableau Server 10.3 > Configure Tableau Server on the Start menu.

  4. In the Tableau Server Configuration dialog box, select the SSL tab.

  5. Select Use SSL for server communication and provide the location for each of the following certificate files:

    • SSL certificate file—Must be a valid PEM-encoded x509 certificate with the extension .crt.
    • SSL certificate key file—Must be a valid RSA or DSA private key file (with the extension .key by convention). If the certificate key file requires a passphrase, enter it in the SSL certificate key passphrase field. (The passphrase you enter is encrypted at rest.) Alternatively, you can provide a path to a key file that is not passphrase protected.

      Note: If you create a certificate key file with a passphrase, you cannot reuse the SSL certificate key for SAML.

    • SSL certificate chain file (Optional for Tableau Server, required for Tableau Mobile and Tableau Desktop on the Mac)—Some certificate providers issue two certificates for Apache. The second certificate is a chain file, which is a concatenation of all the certificates that form the certificate chain for the server certificate. All certificates in the file must be x509 PEM-encoded and the file must have a .crt extension (not .pem).

  6. (Optional) If you are using SSL for server communication and want to configure SSL communication between Tableau Server and clients using certificates on both the server and clients:

    • Select Use mutual SSL and automatic login with client certificates.

      Note: Tableau Server does not support mutual SSL and SAML together.

    • In SSL CA certificate file, browse to the location for the certificate file. The SSL CA certificate file must be a valid PEM-encoded x509 certificate with the extension .crt.

      Note: If you have multiple trusted Certificate Authorities (CAs) you can copy and paste the entire contents of each CA certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, into a new file, then save the file as CAs.crt. In SSL CA certificate file, browse to the location of this new file.

  7. Click OK. The changes will take effect the next time the server is restarted.

    When the server is configured for SSL, it accepts requests to the non-SSL port (default is port 80) and automatically redirects to the SSL port 443.

    Note: Tableau Server only supports port 443 as the secure port. It cannot run on a computer where another application is using port 443.

    SSL errors are logged in the install directory at the following location. Use this log to troubleshoot validation and encryption issues:

    C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\httpd\error.log
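
A pre-flight check for the files named in steps 1, 5 and 6, added here as an example and not part of Tableau's documentation or tooling: it confirms the .crt extension and PEM encoding, flags SHA-1 signatures, and reports a passphrase-protected key. The function names are assumptions of this example, and sample_pem builds a constructed certificate-shaped DER skeleton, not a real certificate.

```python
import base64
import re

PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SHA1_SIG_OIDS = {  # DER-encoded OID bytes of SHA-1 based signature algorithms
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        start += length & 0x7F
        length = int.from_bytes(buf[pos + 2:start], "big")
    return buf[pos], start, start + length

def signature_oid(der):
    """OID bytes of signatureAlgorithm, the element after tbsCertificate."""
    tbs_end = read_tlv(der, read_tlv(der, 0)[1])[2]  # enter Certificate, skip tbs
    _, start, end = read_tlv(der, read_tlv(der, tbs_end)[1])  # enter SEQUENCE, read OID
    return der[start:end]

def check_cert_file(name, text):
    """Findings for a certificate, chain or CA file: .crt, PEM x509, not SHA-1."""
    blocks = PEM.findall(text)
    findings = [] if name.lower().endswith(".crt") else ["extension is not .crt"]
    findings += [] if blocks else ["no PEM blocks found"]
    for i, (label, body) in enumerate(blocks):
        if label != "CERTIFICATE":
            findings.append(f"block {i}: {label}, not CERTIFICATE")
        elif (oid := signature_oid(base64.b64decode(body))) in SHA1_SIG_OIDS:
            findings.append(f"block {i}: signed with {SHA1_SIG_OIDS[oid]}")
    return findings

def check_key_file(text):
    """Findings for the key file: one PEM private key; note passphrase protection."""
    blocks = PEM.findall(text)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        return ["expected exactly one PEM private key"]
    label, body = blocks[0]
    encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
    return ["passphrase-protected: cannot be reused for SAML"] if encrypted else []

def sample_pem(oid_hex):
    """Constructed certificate-shaped DER skeleton (not a real certificate)."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

To check real files, pass each file's name and text to check_cert_file (for example the combined CAs.crt from step 6) and the key file's text to check_key_file.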

Configure SSL for a Cluster

You can configure a Tableau Server cluster to use SSL. If the primary Tableau Server computer is the only node that is running the gateway process (which it does by default), then that's the only place where you need to configure SSL. See the procedure above for steps.

SSL and Multiple Gateways

A highly available Tableau Server cluster can include multiple gateways, fronted by a load balancer. If you are configuring this type of cluster for SSL, you have two choices:

  • Configure your load balancer for SSL: Traffic is encrypted from the client web browsers to the load balancer. Traffic from the load balancer to the Tableau Server gateway processes is not encrypted. No SSL configuration in Tableau Server is required; it's all handled by your load balancer.

  • Configure Tableau Server for SSL: Traffic is encrypted from the client web browsers to the load balancer, and from the load balancer to the Tableau Server gateway processes. See the procedure below for details.

Configure a Server Cluster for SSL

When you configure a Tableau Server cluster to use SSL, you place the SSL certificate and key files on every computer that's running a gateway process. To configure a Tableau Server cluster to use SSL:

  1. Configure the external load balancer for SSL passthrough. Or if you want to use a port other than 443, you can configure the external load balancer to terminate the non-standard port from the client. In this scenario, you would then configure the load balancer to connect to Tableau Server over port 443. Refer to your load balancer's documentation for assistance.

  2. Make sure that the SSL certificate you use was issued for the load balancer's host name.

  3. Configure the primary Tableau Server node as described in the procedure above.

  4. Place the same SSL certificate and key file that you used for the primary on each Tableau Server worker node that is running a gateway process. Use the same folder location on the workers that you used on the primary.

    If you are using mutual SSL, place the SSL CA certificate file you used for the primary on each worker node that is running a gateway process. Use the same folder location that you used on the primary.

    You do not need to do any additional configuration on the workers.

    For example, say you have a cluster that includes a primary Tableau Server node and three worker nodes, with gateway processes running on the primary, Worker 2 and Worker 3. In this situation, you configure the primary Tableau Server for SSL, then copy the same SSL certificate and key files to Worker 2 and Worker 3. Because these files are in the C:\Program Files\Tableau\Tableau Server\SSL folder on the primary, they are in that same location on Worker 2 and Worker 3.
